Which SIEM platforms have a T1185 detection rule?

df00tech provides T1185 (Browser Session Hijacking) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1185 detection?

The T1185 detection is rated high severity with high confidence.

What are common false positives for T1185?

Common false positives for T1185 include: Screen reader and accessibility software (NVDA, JAWS, ZoomText) that legitimately hook into browser processes to read on-screen content; Password manager browser extensions with companion desktop agents (1Password, LastPass desktop app) that access browser process memory for autofill; Security products with browser integration features (some DLP agents, Netskope, Zscaler client) that inject helper modules into browsers.

T1185

Browser Session Hijacking

Q: What data sources are required to detect Browser Session Hijacking (T1185)?

Detecting Browser Session Hijacking requires the following data sources: Process: Process Access, Module: Module Load, Microsoft Defender for Endpoint DeviceEvents, Microsoft Defender for Endpoint DeviceImageLoadEvents.

Collection Last updated: April 20, 2026

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques. A specific example is when an adversary injects software into a browser process that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, then uses the browser as a pivot into an authenticated intranet. Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights. Another technique involves redirecting browser traffic through an adversary-controlled proxy injected into the browser process, allowing session impersonation without modifying user-visible traffic. Malware families such as TrickBot, Dridex, IcedID, QakBot, and Cobalt Strike implement browser pivoting and web inject techniques to steal banking credentials, session tokens, and SSL certificates.

What is T1185 Browser Session Hijacking?

Browser Session Hijacking (T1185) maps to the Collection tactic — the adversary is trying to gather data of interest to their goal in MITRE ATT&CK.

This page provides production-ready detection logic for Browser Session Hijacking, covering the data sources and telemetry it touches: Process: Process Access, Module: Module Load, Microsoft Defender for Endpoint DeviceEvents, Microsoft Defender for Endpoint DeviceImageLoadEvents. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Collection
Technique: T1185 Browser Session Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1185/

Microsoft Sentinel / Defender

kusto

let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "microsoftedge.exe", "brave.exe", "opera.exe", "safari.exe"]);
let KnownGoodInjectors = dynamic(["MsMpEng.exe", "csrss.exe", "werfault.exe", "WerFaultSecure.exe", "dwm.exe", "taskmgr.exe"]);
// === Detection 1: Process injection into browser processes ===
let BrowserInjection = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("CreateRemoteThreadApiCall", "WriteProcessMemoryApiCall", "SetThreadContextRemoteApiCall", "QueueUserApcRemoteApiCall", "OpenProcessApiCall")
| where FileName in~ (BrowserProcesses)
| where InitiatingProcessFileName !in~ (BrowserProcesses)
| where InitiatingProcessFileName !in~ (KnownGoodInjectors)
| extend InjectionMethod = case(
    ActionType == "CreateRemoteThreadApiCall", "Remote thread injection",
    ActionType == "WriteProcessMemoryApiCall", "Memory write injection",
    ActionType == "SetThreadContextRemoteApiCall", "Thread context hijacking",
    ActionType == "QueueUserApcRemoteApiCall", "APC queue injection",
    ActionType == "OpenProcessApiCall", "Suspicious process handle open",
    "Unknown injection"
)
| project Timestamp, DeviceName, AccountName, DetectionSource="ProcessInjection",
         InjectionMethod, TargetBrowser=FileName,
         InjectorProcess=InitiatingProcessFileName,
         InjectorCommandLine=InitiatingProcessCommandLine,
         InjectorParent=InitiatingProcessParentFileName;
// === Detection 2: Suspicious DLL loads inside browser processes ===
let SuspiciousBrowserDllLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where not(FolderPath has_any (
    "\\Google\\Chrome\\", "\\Mozilla Firefox\\", "\\Microsoft\\Edge\\",
    "\\Windows\\System32\\", "\\Windows\\SysWOW64\\", "\\Windows\\WinSxS\\",
    "\\Program Files\\Google\\", "\\Program Files (x86)\\Mozilla\\",
    "\\Program Files\\Microsoft\\", "\\Program Files (x86)\\Microsoft\\"
))
| where not(FileName has_any ("d3d", "opengl", "vulkan", "nvidia", "amd", "intel"))
| project Timestamp, DeviceName, AccountName, DetectionSource="SuspiciousDllLoad",
         InjectionMethod="Reflective/manual DLL load in browser",
         TargetBrowser=InitiatingProcessFileName,
         InjectorProcess=FileName,
         InjectorCommandLine=FolderPath,
         InjectorParent=InitiatingProcessParentFileName;
// === Combine and surface ===
BrowserInjection
| union SuspiciousBrowserDllLoads
| sort by Timestamp desc

Detects browser session hijacking via two complementary signals in Microsoft Defender for Endpoint: (1) process injection events targeting browser processes — CreateRemoteThread, WriteProcessMemory, SetThreadContext, APC queue injection, and suspicious OpenProcess API calls against chrome.exe, msedge.exe, firefox.exe, and others from unexpected initiating processes; (2) unexpected DLL loads inside browser processes from non-standard paths, which indicate reflective injection or manual DLL mapping used by web inject malware families such as TrickBot, Dridex, IcedID, and Cobalt Strike. Legitimate browser security tools (MsMpEng.exe, WerFault.exe) and inter-browser IPC are excluded to reduce false positives.

high severity high confidence

Data Sources

Process: Process Access Module: Module Load Microsoft Defender for Endpoint DeviceEvents Microsoft Defender for Endpoint DeviceImageLoadEvents

Required Tables

DeviceEvents DeviceImageLoadEvents

False Positives

Screen reader and accessibility software (NVDA, JAWS, ZoomText) that legitimately hook into browser processes to read on-screen content
Password manager browser extensions with companion desktop agents (1Password, LastPass desktop app) that access browser process memory for autofill
Security products with browser integration features (some DLP agents, Netskope, Zscaler client) that inject helper modules into browsers
Crash reporting and debugging tools (Visual Studio debugger, Process Monitor) opening handles to browser processes during development or troubleshooting
Endpoint detection products performing memory scanning may trigger OpenProcessApiCall events against browser processes during scheduled scans

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=8 OR EventCode=10 OR EventCode=7)
(
  TargetImage="*\\chrome.exe" OR TargetImage="*\\msedge.exe" OR
  TargetImage="*\\firefox.exe" OR TargetImage="*\\iexplore.exe" OR
  TargetImage="*\\brave.exe" OR TargetImage="*\\opera.exe" OR
  TargetImage="*\\microsoftedge.exe"
)
NOT (
  SourceImage="*\\chrome.exe" OR SourceImage="*\\msedge.exe" OR
  SourceImage="*\\firefox.exe" OR SourceImage="*\\MsMpEng.exe" OR
  SourceImage="*\\WerFault.exe" OR SourceImage="*\\csrss.exe" OR
  SourceImage="*\\dwm.exe"
)
| eval InjectionType=case(
    EventCode=8, "CreateRemoteThread in browser",
    EventCode=10 AND match(GrantedAccess, "0x1[Ff][0-9A-Fa-f]+"), "Full-access process handle to browser",
    EventCode=10 AND match(GrantedAccess, "0x[0-9A-Fa-f]*3[89AB][0-9A-Fa-f]*"), "VM Read/Write handle to browser",
    EventCode=10, "ProcessAccess to browser",
    EventCode=7, "DLL injection candidate",
    true(), "Unknown"
)
| eval IsHighRisk=if(EventCode=8 OR (EventCode=10 AND match(GrantedAccess, "0x1[Ff][0-9A-Fa-f]+")), 1, 0)
| eval SourceProcess=coalesce(SourceImage, Image)
| eval TargetProcess=coalesce(TargetImage, "n/a")
| table _time, host, User, EventCode, InjectionType, IsHighRisk,
        SourceProcess, TargetProcess, GrantedAccess, CallTrace, StartFunction
| sort - IsHighRisk, - _time

Detects browser session hijacking attempts using Sysmon operational logs across three event types: EventCode=8 (CreateRemoteThread) where a non-browser process creates a remote thread inside a browser process — the hallmark of Cobalt Strike browser pivoting and web inject loaders; EventCode=10 (ProcessAccess) where unexpected processes open handles to browsers with full-access (0x1F0FFF) or VM read/write rights required for memory manipulation; EventCode=7 (ImageLoad) for DLL loads in browser context from suspicious paths. GrantedAccess matching on high-privilege access masks surfaces the most critical injection attempts. Results are sorted by risk level then recency to prioritize analyst triage.

high severity high confidence

Data Sources

Process: Process Access Process: Process Creation Module: Module Load Sysmon Event ID 8 (CreateRemoteThread) Sysmon Event ID 10 (ProcessAccess) Sysmon Event ID 7 (ImageLoad)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Screen reader and accessibility software (NVDA, JAWS) that legitimately hook browser processes for content reading
Password manager desktop agents opening read handles to browsers for autofill synchronization
Security products with browser protection modules (DLP agents, SSO clients) that load helper DLLs into browser context
Developer debugging sessions using Visual Studio or WinDbg attaching to browser processes for front-end debugging
Electron-based applications that embed Chromium may show similar EventCode=10 patterns when managing their embedded browser engine

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe", "microsoftedge.exe") and
   event.action == "start"]
  [process where event.action in ("access", "ptrace") and
   target.process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe", "microsoftedge.exe") and
   not process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "MsMpEng.exe", "WerFault.exe", "csrss.exe", "dwm.exe", "taskmgr.exe")]

OR

sequence by host.id, process.pid with maxspan=2m
  [process where process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe") and event.type == "start"]
  [library where process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe") and
   not dll.path : (
     "?:\\Program Files\\Google\\Chrome\\*",
     "?:\\Program Files\\Mozilla Firefox\\*",
     "?:\\Program Files\\Microsoft\\Edge\\*",
     "?:\\Windows\\System32\\*",
     "?:\\Windows\\SysWOW64\\*",
     "?:\\Windows\\WinSxS\\*"
   ) and
   not dll.name : ("d3d*.dll", "opengl*.dll", "nvoglv*.dll", "atig6*.dll", "ig*.dll")]

Detects browser session hijacking via process injection into browser processes or suspicious DLL loads inside browser processes. Uses EQL sequences to correlate browser process start with subsequent injection API calls or anomalous library loads from non-standard paths.

high severity medium confidence

Data Sources

Windows Sysmon (event.action process access/ptrace) Endpoint agent with DLL/library load events Elastic Endpoint Security or Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.library-* winlogbeat-*

False Positives

Security tools such as CrowdStrike Falcon sensor or Carbon Black may legitimately access browser processes for monitoring purposes
Screen recording or accessibility software (e.g., Zoom, screen readers) may load DLLs into browser processes
Browser extensions distributed as standalone DLLs loaded from non-default paths
Development/debugging tools like Visual Studio or WinDbg attaching to browsers during web development
Password managers with browser integration loading helper DLLs from custom paths

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS User,
  hostname AS Host,
  QIDNAME(qid) AS EventName,
  "SourceImage" AS InjectorProcess,
  "TargetImage" AS TargetBrowser,
  "GrantedAccess" AS AccessMask,
  CATEGORYNAME(category) AS Category,
  logsourcename(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND (
    (qid IN (
      SELECT qid FROM QIDMap WHERE qidname ILIKE '%CreateRemoteThread%'
        OR qidname ILIKE '%ProcessAccess%'
        OR qidname ILIKE '%ImageLoad%'
    ))
    OR ("EventID" IN ('8', '10', '7'))
  )
  AND (
    "TargetImage" ILIKE '%\\chrome.exe'
    OR "TargetImage" ILIKE '%\\msedge.exe'
    OR "TargetImage" ILIKE '%\\firefox.exe'
    OR "TargetImage" ILIKE '%\\iexplore.exe'
    OR "TargetImage" ILIKE '%\\brave.exe'
    OR "TargetImage" ILIKE '%\\opera.exe'
    OR "TargetImage" ILIKE '%\\microsoftedge.exe'
  )
  AND NOT (
    "SourceImage" ILIKE '%\\chrome.exe'
    OR "SourceImage" ILIKE '%\\msedge.exe'
    OR "SourceImage" ILIKE '%\\firefox.exe'
    OR "SourceImage" ILIKE '%\\MsMpEng.exe'
    OR "SourceImage" ILIKE '%\\WerFault.exe'
    OR "SourceImage" ILIKE '%\\csrss.exe'
    OR "SourceImage" ILIKE '%\\dwm.exe'
    OR "SourceImage" ILIKE '%\\taskmgr.exe'
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500

Detects browser session hijacking in QRadar by querying Sysmon events for CreateRemoteThread (Event 8), ProcessAccess (Event 10), and ImageLoad (Event 7) targeting browser processes from non-whitelisted sources. Correlates source and target process images to identify injection candidates.

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon for Windows (forwarded via WinCollect or syslog) Windows Event Forwarding to QRadar

Required Tables

events

False Positives

Endpoint security agents (e.g., Symantec, McAfee, Trend Micro) legitimately access browser processes
Application performance monitoring tools that attach to browser processes
Browser developer tools or remote debugging sessions
Legitimate browser automation frameworks such as Selenium WebDriver
IT management agents performing inventory or patch management tasks

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon ("EventCode=8" OR "EventCode=10" OR "EventCode=7")
| parse regex "<EventID>(?<EventCode>\d+)<\/EventID>"
| parse regex "TargetImage>(?<TargetImage>[^<]+)<" nodrop
| parse regex "SourceImage>(?<SourceImage>[^<]+)<" nodrop
| parse regex "ImageLoaded>(?<ImageLoaded>[^<]+)<" nodrop
| parse regex "GrantedAccess>(?<GrantedAccess>[^<]+)<" nodrop
| parse regex "User>(?<User>[^<]+)<" nodrop
| where (TargetImage matches "*\\chrome.exe"
      OR TargetImage matches "*\\msedge.exe"
      OR TargetImage matches "*\\firefox.exe"
      OR TargetImage matches "*\\iexplore.exe"
      OR TargetImage matches "*\\brave.exe"
      OR TargetImage matches "*\\opera.exe"
      OR TargetImage matches "*\\microsoftedge.exe")
      OR (EventCode = "7" AND (ImageLoaded matches "*\\chrome.exe" OR ImageLoaded matches "*\\firefox.exe" OR ImageLoaded matches "*\\msedge.exe"))
| where NOT (SourceImage matches "*\\chrome.exe"
          OR SourceImage matches "*\\msedge.exe"
          OR SourceImage matches "*\\firefox.exe"
          OR SourceImage matches "*\\MsMpEng.exe"
          OR SourceImage matches "*\\WerFault.exe"
          OR SourceImage matches "*\\csrss.exe"
          OR SourceImage matches "*\\dwm.exe"
          OR SourceImage matches "*\\taskmgr.exe")
| eval InjectionType = if(EventCode = "8", "CreateRemoteThread in browser",
    if(EventCode = "10", "ProcessAccess to browser",
    if(EventCode = "7", "Suspicious DLL load in browser", "Unknown")))
| eval IsHighRisk = if(EventCode = "8", "true",
    if(EventCode = "10" AND GrantedAccess matches "0x1[Ff]*", "true", "false"))
| fields _messageTime, _sourceHost, User, EventCode, InjectionType, IsHighRisk, SourceImage, TargetImage, GrantedAccess, ImageLoaded
| sort by IsHighRisk desc, _messageTime desc

Detects browser session hijacking via Sysmon events in Sumo Logic. Parses XML Sysmon event data to identify CreateRemoteThread, ProcessAccess, and ImageLoad events targeting browser processes, with classification of injection type and risk level.

high severity medium confidence

Data Sources

Sumo Logic with Sysmon data collected via Installed Collector Windows Event Log source with Sysmon/Operational channel Sumo Logic Cloud-to-Cloud for Windows endpoints

Required Tables

windows/sysmon source category

False Positives

Antivirus or EDR solutions with behavior monitoring that access browser processes
Browser-based screen sharing tools loading helper DLLs
Legitimate software with browser integration such as LastPass or 1Password extensions
Developer debugging sessions with process attachment
Remote administration tools that leverage browser processes for UI interaction

Google Chronicle / SecOps

yaral

rule t1185_browser_session_hijacking {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects browser session hijacking via process injection or DLL load into browser processes"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1185"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Detection 1: CreateRemoteThread into browser
    $inject.metadata.event_type = "PROCESS_INJECTION"
    $inject.target.process.file.full_path = /(?i)(chrome|msedge|firefox|iexplore|brave|opera|microsoftedge)\.exe$/
    not $inject.principal.process.file.full_path = /(?i)(chrome|msedge|firefox|MsMpEng|WerFault|csrss|dwm|taskmgr)\.exe$/
    $inject.principal.hostname = $host

  OR

    // Detection 2: Suspicious library load inside browser process
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    $load.principal.process.file.full_path = /(?i)(chrome|msedge|firefox|iexplore|brave|opera)\.exe$/
    not $load.target.file.full_path = /(?i)(Program Files\\(Google\\Chrome|Mozilla Firefox|Microsoft\\Edge)|Windows\\(System32|SysWOW64|WinSxS))/
    not $load.target.file.full_path = /(?i)(d3d|opengl|vulkan|nvidia|amd|intel)/
    $load.principal.hostname = $host

  condition:
    $inject or $load
}

Chronicle YARA-L 2.0 rule detecting browser session hijacking through two complementary patterns: process injection events targeting browser executables from non-whitelisted injectors, and suspicious DLL/module loads inside browser processes from outside standard browser installation paths. Uses UDM event types PROCESS_INJECTION and PROCESS_MODULE_LOAD.

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry forwarded to Chronicle (via forwarder or ingestion API) Windows Defender for Endpoint via Chronicle integration CrowdStrike Falcon data ingested into Chronicle

Required Tables

UDM events with metadata.event_type PROCESS_INJECTION UDM events with metadata.event_type PROCESS_MODULE_LOAD

False Positives

Legitimate security software accessing browser processes for scanning or monitoring
Browser developer extensions that load DLLs from custom installation paths
Third-party password managers or accessibility tools with browser integration
Automated testing frameworks using browser instrumentation APIs
Update managers or software distribution agents that access browser processes

CrowdStrike LogScale (CQL)

cql

// Detection 1: Suspicious process injection into browser processes
#event_simpleName = "CreateRemoteThreadV2" OR #event_simpleName = "WriteProcessMemory" OR #event_simpleName = "SetThreadContext"
| TargetImageFileName = /(?i)(chrome|msedge|firefox|iexplore|brave|opera|microsoftedge)\.exe$/
| SourceImageFileName != /(?i)(chrome|msedge|firefox|MsMpEng|WerFault|WerFaultSecure|csrss|dwm|taskmgr)\.exe$/
| eval InjectionMethod = case(
    #event_simpleName = "CreateRemoteThreadV2", "Remote thread injection",
    #event_simpleName = "WriteProcessMemory", "Memory write injection",
    #event_simpleName = "SetThreadContext", "Thread context hijacking",
    "Unknown"
)
| table _time, ComputerName, UserName, InjectionMethod, SourceImageFileName, TargetImageFileName, TargetProcessId, SourceProcessId
| sort _time desc

// Detection 2: Suspicious DLL loads inside browser processes (union)
OR

#event_simpleName = "ClassifiedModuleLoad"
| ImageFileName = /(?i)(chrome|msedge|firefox|iexplore|brave|opera)\.exe$/
| NOT ModuleFilePath = /(?i)(\\Program Files\\(Google\\Chrome|Mozilla Firefox|Microsoft\\Edge)|\\Windows\\(System32|SysWOW64|WinSxS))/
| NOT ModuleFilePath = /(?i)(d3d|opengl|vulkan|nvog|atig|ig[0-9])/
| eval InjectionMethod = "Suspicious module load in browser"
| table _time, ComputerName, UserName, InjectionMethod, ImageFileName, ModuleFilePath, ModuleImageFilePath
| sort _time desc

Detects browser session hijacking in CrowdStrike Falcon LogScale using Falcon event types for remote thread creation, memory writes, and thread context modification targeting browser processes. Also detects suspicious DLL/module loads within browser processes from non-standard paths.

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike LogScale (formerly Humio) Falcon Data Replicator (FDR) event stream

Required Tables

Falcon event stream: CreateRemoteThreadV2 Falcon event stream: WriteProcessMemory Falcon event stream: SetThreadContext Falcon event stream: ClassifiedModuleLoad

False Positives

CrowdStrike sensor itself may generate events when performing process inspection for threat detection
Third-party AV or EDR products that co-exist with Falcon and access browser processes
Legitimate browser helper objects or extensions that load as DLLs from custom enterprise software directories
IT operations tooling such as BigFix or Tanium that may access browser process memory for inventory
Browser-based RPA tools that instrument browser processes programmatically

Sigma rule & cross-platform mapping

The detection logic for Browser Session Hijacking (T1185) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1185 Sigma rules on detection.fyi

Platform-specific guides for T1185

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-20 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Browser Process Enumeration and Handle Open (ReadVM Access)
Expected signal: Sysmon EventCode=10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=<browser>.exe, GrantedAccess=0x10 (PROCESS_VM_READ), CallTrace will show the kernel32.dll and ntdll.dll call stack. MDE DeviceEvents ActionType=OpenProcessApiCall with FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe.
Test 2Chrome Cookie Database Exfiltration via File Copy
Expected signal: Sysmon EventCode=11 (FileCreate): TargetFilename=%TEMP%\argus_test_cookies_*.db, Image=powershell.exe. Sysmon EventCode=1 (ProcessCreate): powershell.exe with command line referencing LOCALAPPDATA\Google\Chrome\User Data. MDE DeviceFileEvents with ActionType=FileCreated, FileName=argus_test_cookies_*.db, InitiatingProcessFileName=powershell.exe.
Test 3Browser Proxy Configuration via Registry (Browser Pivot Simulation)
Expected signal: Sysmon EventCode=13 (RegistryValueSet): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer, Details=127.0.0.1:4444, Image=powershell.exe. Second EventCode=13 for ProxyEnable=1. MDE DeviceRegistryEvents with ActionType=RegistryValueSet, RegistryValueName=ProxyServer, RegistryValueData=127.0.0.1:4444.
Test 4CreateRemoteThread Simulation into Browser Process (Benign Payload)
Expected signal: Sysmon EventCode=8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=<browser>.exe, StartAddress=<kernel32!Sleep address>, StartModule=C:\Windows\System32\kernel32.dll, StartFunction=Sleep. MDE DeviceEvents ActionType=CreateRemoteThreadApiCall, FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe. Security Event ID 4688 for the PowerShell process if command line auditing is enabled.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1185 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Browser Session Hijacking

What is T1185 Browser Session Hijacking?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1185

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Collection

Popular Detections

What is T1185 Browser Session Hijacking?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1185

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox